video-quick-gen 安全扫描报告 — 可信 | ClawSafe

10 /100

video-quick-gen

营销视频生成服务，通过小念AI的视频模块快速生成营销视频

Video generation skill with straightforward HTTP API calls and file download functionality, fully aligned with declared documentation.

技能名称video-quick-gen

分析耗时43.4s

引擎pi

✓

可以安装

No action required. Consider rotating the hardcoded API token periodically as a best practice.

安全发现 2 项

严重性	安全发现	位置
低危	Environment variable access not documented 敏感访问 The script reads DASHBOARD_TOKEN, DASHBOARD_PHONE, DASHBOARD_PASSWORD environment variables for authentication, but SKILL.md only mentions 'built-in token, no configuration needed'. `token = os.getenv("DASHBOARD_TOKEN") or DEFAULT_TOKEN` → Document optional environment variables in SKILL.md for transparency	`scripts/video_quick_gen.py:80`
低危	Hardcoded API token in source 凭证窃取 A default API token is embedded in the source code at line 75. While this is a service token (not user credentials), hardcoding tokens is a poor security practice. `DEFAULT_TOKEN = "atk_ajhhuxTyHciMIxZQ_vt_boqVeG_zTr4Ix9REWuVBXSc"` → Use only environment variable for token; remove default from source or document it clearly	`scripts/video_quick_gen.py:75`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	SKILL.md declares video output; scripts/video_quick_gen.py:178 _download() write…
网络访问	`READ`	`READ`	✓ 一致	SKILL.md declares API base URL; code makes POST/GET to /video/script/gen, /video…
命令执行	`NONE`	`NONE`	—	No subprocess or shell execution found
环境变量	`NONE`	`READ`	✓ 一致	Lines 80-87 read DASHBOARD_TOKEN, DASHBOARD_PHONE, DASHBOARD_PASSWORD env vars -…
技能调用	`NONE`	`NONE`	—	No skill invocation found
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser access
数据库	`NONE`	`NONE`	—	No database access

2 项发现

🔗

中危外部 URL 外部 URL

https://xiaonian.cc

SKILL.md:12

🔗

中危外部 URL 外部 URL

https://xiaonian.cc/employee-console/dashboard/v2/api

SKILL.md:13

3 文件 · 11.4 KB · 342 行

Python 1f · 252L Markdown 2f · 90L

├─ ▾ 📁 references

│ └─ 📝 video-api.md Markdown 33L · 682 B

├─ ▾ 📁 scripts

│ └─ 🐍 video_quick_gen.py Python 252L · 9.1 KB

└─ 📝 SKILL.md Markdown 57L · 1.6 KB

包名	版本	来源	已知漏洞	备注
`urllib (stdlib)`	`built-in`	Python stdlib	否	No third-party dependencies

✓ No shell execution or arbitrary command execution

✓ No obfuscation (no base64, eval, or anti-analysis techniques)

✓ No credential harvesting beyond API authentication

✓ No data exfiltration or C2 communication

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No download/execution of remote scripts

✓ Standard library only (urllib) - no third-party dependencies

✓ HTTP requests limited to declared API endpoints

✓ File write limited to explicit --out parameter with user-controlled path

✓ Clear workflow: script gen → task create → poll state